How group mapping supports multiprotocol access to Infinite Volumes

Group mapping improves the accuracy of permissions that appear when NFSv4.1 clients display the ACL of a file or directory that has NTFS file permissions. If an Infinite Volume supports both NFSv4.1 ACLs and SMB, you should configure group mapping, which is similar to user mapping.

Why group mapping is necessary

Groups are often used in ACLs to simplify security management. However, groups in multiple Windows domains cannot be easily translated to the groups of a single NFSv4.1 domain.

Mapping groups from Windows to UNIX ensures that group names appear when NFSv4.1 ACLs are displayed on NFSv4.1 clients.

If a Windows group is not mapped to a UNIX group and a default UNIX group is not configured, the Windows group is displayed to an NFSv4.1 client as nobody (specifically nobody@v4-id-domain).

What group mapping is required

If an Infinite Volume supports both SMB and NFSv4.1 ACLs, you should perform the following configurations:

Create a Windows-to-UNIX mapping for every Windows group.

Define a default UNIX group that is used when no mapping exists for a Windows group and the lowercase name of the Windows group is not a valid group name in the UNIX domain.
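
The fallback order described above can be modelled to audit which Windows groups still lack an explicit mapping and what an NFSv4.1 client would show for them. This is an added example, not Data ONTAP code: the function names and sample groups are hypothetical, explicit mappings are simplified to exact matches, and stripping the domain prefix before the lowercase lookup is an assumption.

```python
# Added illustration: simplified model of the display-name fallback.
# Not Data ONTAP code. "v4-id-domain" stands for the configured NFSv4 ID domain.
NOBODY = "nobody@v4-id-domain"


def displayed_group(win_group, explicit_map, unix_groups, default_group=None):
    """Return (unix_name, reason) for how a Windows group would be displayed."""
    # 1. An explicit Windows-to-UNIX mapping (modelled as an exact match).
    if win_group in explicit_map:
        return explicit_map[win_group], "explicit mapping"
    # 2. The lowercase group name, if it is a valid UNIX group.
    #    Assumption: the DOMAIN\ prefix is dropped before the lookup.
    short = win_group.rsplit("\\", 1)[-1].lower()
    if short in unix_groups:
        return short, "lowercase name is a valid UNIX group"
    # 3. The default UNIX group, if one is configured.
    if default_group:
        return default_group, "default UNIX group"
    # 4. Nothing matched: the client sees nobody.
    return NOBODY, "no mapping and no default"


def audit(win_groups, explicit_map, unix_groups, default_group=None):
    """List groups without an explicit mapping and what clients would see."""
    findings = []
    for group in win_groups:
        name, reason = displayed_group(
            group, explicit_map, unix_groups, default_group
        )
        if reason != "explicit mapping":
            findings.append((group, name, reason))
    return findings


# Constructed sample data (not taken from any real system).
WIN_GROUPS = ["CORP\\Finance", "CORP\\Engineering", "LAB\\Storage Admins"]
EXPLICIT = {"CORP\\Finance": "fin"}
UNIX_GROUPS = {"fin", "engineering", "staff"}

if __name__ == "__main__":
    for group, name, reason in audit(WIN_GROUPS, EXPLICIT, UNIX_GROUPS):
        print(f"{group} -> {name} ({reason})")
```

Groups reported with the default group or with nobody are the ones whose ACL entries are hard to attribute when reviewed from an NFSv4.1 client.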

Comparison of user and group mapping

Group mapping and user mapping share the following similarities:

They can both be defined either using Data ONTAP or using LDAP.

If they are defined using Data ONTAP, they are defined in a similar way and using the same conversion rules.

For information about conversion rules in user and group mappings, see either the NFS Reference or the CIFS Reference.

Group mapping is unique in the following ways:

It is available only on Storage Virtual Machines (SVMs) with Infinite Volume, not SVMs with FlexVol volumes.

It is necessary only if an SVM is configured for both SMB and NFSv4.1, including NFSv4.1 ACLs.

It does not affect access; it affects only what NFSv4.1 clients display.

During access checks, a user's group membership is determined in the same way on all SVMs.